IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ubiquiti insider says the company downplayed the severity of a major breach

Attackers reportedly accessed company source code

Internet of things (IoT) manufacturer Ubiquiti allegedly downplayed the severity of a data breach it revealed in January, according to reports.

Security blogger Brian Krebs, a former Washington Post reporter, spoke to a security professional claiming to work for Ubiquiti. The employee said the breach was "catastrophic", and the company downplayed the fallout to minimize the effect on its share price.

Ubiquiti makes IoT equipment, including mesh Wi-Fi systems. In January, it warned customers that intruders accessed systems hosted by a third-party cloud provider. "We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed," Ubiquiti said at the time. 

Exposed data might include names, email addresses, and encrypted account passwords, the company added, before encouraging people to change their passwords as a cautionary measure.

The security professional said the breach was far worse than the company let on. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” he told Krebs.

Related Resource

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

How to manage security risk and compliance - whitepaperDownload now

According to Krebs' source, the cloud service provider was Amazon Web Services, and the hackers got full administrative access to servers there after finding a Ubiquiti employee's password. This allegedly allowed them read/write access to Ubiquiti's databases, cryptographic secrets for users' online sessions, and sign keys and source code. 

The breach also gave the attackers root access to all of the companies' AWS accounts, including all S3 data buckets, the source continued.

This reportedly enabled the attackers to authenticate remotely to Ubiquiti devices worldwide.

Ubiquiti reportedly found a back door the attackers left in the system, but the attackers tried to blackmail the company for 50 bitcoins to stay quiet. The company refused to engage the attackers, according to Krebs' story.

Instead of suggesting a password change, the company should have forcibly changed them, along with reverting device access permissions, the source said. However, the company's legal department overrode those requests.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Modernise your legacy databases in the cloud
Whitepaper

Modernise your legacy databases in the cloud

10 Jun 2022
Deploying flexible data protection to support cloud workload placement
Whitepaper

Deploying flexible data protection to support cloud workload placement

10 Mar 2022
Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Europol ordered to delete huge cache of unlawfully stored data
data protection

Europol ordered to delete huge cache of unlawfully stored data

11 Jan 2022

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022